Repository Analysis

ory/hydra

Internet-scale OpenID Certified™ OpenID Connect and OAuth2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.

3.4 · Likely human-written

Adjusted Score: 3.4
Raw Score: 3.4
Time Factor: 100%
Last Push: 2026-05-28
Stars: 17,185
Language: Go
Lines of Code: 301,489
Files: 1789
Pattern Hits: 919
Scan Date: 2026-05-31

Score History

Severity Breakdown

CRITICAL: 0 · HIGH: 13 · MEDIUM: 26 · LOW: 880

Pattern Findings

919 matches across 9 categories.

Fake / Example Data (458 hits · 458 pts)

Severity   File:Line   Snippet
LOW   cmd/cmd_delete_client.go:22   To delete OAuth 2.0 Clients with the owner of "foo@bar.com", run:
LOW   cmd/cmd_delete_client.go:24   {{ .CommandPath }} $({{ .Root.Name }} list oauth2-clients --format json | jq -r 'map(select(.contacts[] == "foo@bar.com
LOW   cypress/integration/oauth2/introspect.js:40   expect(body.body.sub).to.be.equal("foo@bar.com")
LOW   cypress/integration/oauth2/introspect.js:67   expect(body.body.sub).to.be.equal("foo@bar.com")
LOW   cypress/integration/oauth2/authorize_error.js:148   cy.get("#email").type("foo@bar.com", { delay: 1 })
LOW   cypress/integration/oauth2/jwt.js:53   expect(body.sub).to.eq("foo@bar.com")
LOW   cypress/integration/openid/userinfo.js:33   expect(sub).to.eq("foo@bar.com")
LOW   cypress/integration/openid/authorize_code.js:39   expect(sub).to.eq("foo@bar.com")
LOW   cypress/support/commands.js:47   username = "foo@bar.com",
LOW   cypress/support/commands.js:122   username = "foo@bar.com",
LOW   cypress/support/commands.js:236   username = "foo@bar.com",
LOW   test/conformance/config.json:20   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:52   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:85   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:118   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:151   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:184   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:220   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:329   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:360   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:402   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:434   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:468   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:526   ["text", "id", "email", "foo@bar.com"],
LOW   test/conformance/config.json:559   ["text", "id", "email", "foo@bar.com"],
LOW   oauth2/oauth2_auth_code_test.go:138   IdToken: map[string]interface{}{"bar": "baz", "email": "foo@bar.com"},
LOW   oauth2/oauth2_auth_code_test.go:448   IdToken: map[string]interface{}{"email": "foo@bar.com", "bar": "baz"},
LOW   oauth2/.snapshots/TestUnmarshalSession-v1.11.9.json:6   "sub": "foo@bar.com",
LOW   oauth2/.snapshots/TestUnmarshalSession-v1.11.9.json:35   "subject": "foo@bar.com"
LOW   oauth2/.snapshots/TestUnmarshalSession-v1.11.8.json:6   "sub": "foo@bar.com",
LOW   oauth2/.snapshots/TestUnmarshalSession-v1.11.8.json:35   "subject": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-Req-login_hint.txt:130   "login_hint": "foo@bar.com",
LOW   internal/certification/CI.F.T.T.s/OP-Req-login_hint.txt:157   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-UserInfo-Body.txt:154   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-UserInfo-Body.txt:187   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-UserInfo-Body.txt:199   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-UserInfo-Body.txt:202   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-Req-acr_values.txt:156   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-Req-acr_values.txt:190   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Req-max_age=10000.txt:154   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Req-max_age=10000.txt:187   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Req-max_age=10000.txt:222   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Req-max_age=10000.txt:255   "sub": "foo@bar.com"
LOW   …ternal/certification/CI.F.T.T.s/OP-UserInfo-Header.txt:154   "sub": "foo@bar.com"
LOW   …ternal/certification/CI.F.T.T.s/OP-UserInfo-Header.txt:187   "sub": "foo@bar.com"
LOW   …ternal/certification/CI.F.T.T.s/OP-UserInfo-Header.txt:199   "sub": "foo@bar.com"
LOW   …ternal/certification/CI.F.T.T.s/OP-UserInfo-Header.txt:202   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-prompt-login.txt:154   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-prompt-login.txt:187   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-prompt-login.txt:225   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-prompt-login.txt:258   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-OAuth-2nd.txt:155   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-OAuth-2nd.txt:188   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-Req-ui_locales.txt:156   "sub": "foo@bar.com"
LOW   internal/certification/CI.F.T.T.s/OP-display-popup.txt:156   "sub": "foo@bar.com"
LOW   …/certification/CI.F.T.T.s/OP-Registration-logo_uri.txt:157   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Registration-jwks.txt:221   "sub": "foo@bar.com"
LOW   …rnal/certification/CI.F.T.T.s/OP-Registration-jwks.txt:256   "sub": "foo@bar.com"
LOW   …rtification/CI.F.T.T.s/OP-ClientAuth-Basic-Dynamic.txt:155   "sub": "foo@bar.com"
LOW   …rtification/CI.F.T.T.s/OP-ClientAuth-Basic-Dynamic.txt:188   "sub": "foo@bar.com"
398 more matches not shown…

Over-Commented Block (395 hits · 337 pts)

Severity   File:Line   Snippet
LOW   quickstart-prometheus.yml:1   ###########################################################################
LOW   quickstart-tracing.yml:1   ###########################################################################
LOW   quickstart-tracing.yml:21   # - TRACING_PROVIDER=zipkin
LOW   quickstart-tracing.yml:41   ### Opentelemetry ###
LOW   quickstart-tracing.yml:61   # - DD_APM_NON_LOCAL_TRAFFIC=true
LOW   quickstart-debug.yml:1   ###########################################################################
LOW   quickstart-postgres.yml:1   ###########################################################################
LOW   quickstart.yml:1   ###########################################################################
LOW   quickstart-mysql.yml:1   ###########################################################################
LOW   quickstart-cors.yml:1   ###########################################################################
LOW   quickstart-cockroach.yml:1   ###########################################################################
LOW   quickstart-jwt.yml:1   ###########################################################################
LOW   quickstart-hsm.yml:1   ###########################################################################
LOW   cypress/plugins/index.js:1   // Copyright © 2022 Ory Corp
LOW   cypress/support/index.js:1   // Copyright © 2022 Ory Corp
LOW   cypress/support/commands.js:1   // Copyright © 2022 Ory Corp
LOW   test/e2e/docker-compose.jwt.yml:1   ###########################################################################
LOW   fosite/generate.go:1   // Copyright © 2025 Ory Corp
LOW   fosite/generate.go:21   //go:generate go tool mockgen -package internal -destination internal/client_manager.go github.com/ory/hydra/v2/fosite C
LOW   fosite/generate.go:41   //go:generate go tool mockgen -package internal -destination internal/refresh_token_strategy_provider.go github.com/ory/
LOW   fosite/handler.go:1   // Copyright © 2025 Ory Corp
LOW   fosite/handler.go:41   CanHandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) bool
LOW   fosite/handler.go:61
LOW   fosite/config.go:301   // UseLegacyErrorFormatProvider returns the provider for configuring whether to use the legacy error format.
LOW   fosite/authorize_helper.go:41   // If multiple redirection URIs have been registered, if only part of
LOW   fosite/authorize_helper.go:81   return nil, errorsx.WithStack(ErrInvalidRequest.WithHint("The 'redirect_uri' parameter does not match any of the OAuth
LOW   fosite/access_request_handler.go:21   // - https://tools.ietf.org/html/rfc6749#section-2.3.1
LOW   fosite/revoke_handler.go:21   // validates various parameters as specified in:
LOW   fosite/HISTORY.md:361   // ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been
LOW   fosite/oauth2.go:41
LOW   fosite/oauth2.go:61   NewAuthorizeRequest(ctx context.Context, req *http.Request) (AuthorizeRequester, error)
LOW   fosite/oauth2.go:81   // * https://tools.ietf.org/html/rfc6749#section-3.1.2
LOW   fosite/oauth2.go:101   // authorization server during the client registration process or when
LOW   fosite/oauth2.go:121
LOW   fosite/oauth2.go:141   // MUST NOT be included more than once.
LOW   fosite/oauth2.go:161
LOW   fosite/authorize_error_test.go:21   // - https://tools.ietf.org/html/rfc6749#section-4.1.2.1
LOW   fosite/introspection_response_writer.go:21   // (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
LOW   fosite/introspection_response_writer.go:61   // * active
LOW   fosite/introspection_response_writer.go:81   //
LOW   fosite/introspection_response_writer.go:101   // OPTIONAL. Integer timestamp, measured in the number of seconds
LOW   fosite/introspection_response_writer.go:121   // [RFC7519].
LOW   fosite/introspection_response_writer.go:141   //
LOW   fosite/introspection_response_writer.go:161   // }
LOW   fosite/transactional.go:1   // Copyright © 2025 Ory Corp
LOW   fosite/introspection_request_handler.go:21   //
LOW   fosite/introspection_request_handler.go:41   // help the authorization server optimize the token lookup. If the
LOW   fosite/introspection_request_handler.go:61   // To prevent token scanning attacks, the endpoint MUST also require
LOW   fosite/introspection_request_handler.go:81   //
LOW   fosite/token/jwt/token.go:161   // Parse, validate, and return a token.
LOW   fosite/handler/oauth2/revocation_storage.go:1   // Copyright © 2025 Ory Corp
LOW   fosite/handler/oauth2/storage.go:21   // GetAuthorizeCodeSession hydrates the session for an authorization code and returns
LOW   fosite/handler/pkce/handler.go:181   } else if nc == 0 {
LOW   fosite/handler/openid/flow_hybrid.go:41
LOW   fosite/handler/openid/flow_implicit.go:41   return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client is not allowed to use the authorization
LOW   fosite/handler/openid/validator.go:41   }
LOW   fosite/handler/openid/flow_implicit_test.go:121   Scopes: []string{"openid", "fosite"},
LOW   fosite/handler/openid/flow_refresh_token_test.go:121   },
LOW   fosite/compose/compose.go:21   // AccessTokenLifespan: time.Minute * 30,
LOW   fosite/docs/how-tos/client_credentials_grant.md:61   // for Token Endpont, for example:
335 more matches not shown…

Slop Phrases (24 hits · 72 pts)

Severity   File:Line   Snippet
MEDIUM   quickstart-prometheus.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-prometheus.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-tracing.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-tracing.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-debug.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-debug.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-postgres.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-postgres.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-mysql.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-mysql.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-cors.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-cors.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-cockroach.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-cockroach.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-jwt.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-jwt.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   quickstart-hsm.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   quickstart-hsm.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   test/e2e/docker-compose.jwt.yml:2   ####### FOR DEMONSTRATION PURPOSES ONLY #######
MEDIUM   test/e2e/docker-compose.jwt.yml:8   # This set up is only for demonstration purposes. The login #
MEDIUM   …ernal/httpclient/model_accept_o_auth2_login_request.go:32   // ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID
MEDIUM   contrib/quickstart/gitlab/config/gitlab.rb:460   # optionally, you can add the following two lines to "white label" the display name

Synthetic Comment Markers (9 hits · 68 pts)

Severity   File:Line   Snippet
HIGH   internal/httpclient/model_o_auth2_login_request.go:31   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   internal/httpclient/model_device_user_auth_request.go:32   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   internal/httpclient/model_verify_user_code_request.go:27   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   internal/httpclient/model_o_auth2_consent_request.go:42   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   flow/flow.go:133   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   flow/consent_types.go:470   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   flow/consent_types.go:484   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   flow/consent_types.go:505   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
HIGH   flow/consent_types.go:582   // RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.

Redundant / Tautological Comments (25 hits · 45 pts)

Severity   File:Line   Snippet
LOW   test/e2e/circle-ci.bash:16   # Check if any ports that we need are open already
LOW   fosite/.github/auto_assign.yml:15   # Set 0 to add all the reviewers (default: 0)
LOW   internal/config/config.yaml:386   # Set this to true if you want to share error debugging information with your OAuth 2.0 clients.
LOW   internal/config/config.yaml:398   # Set this to true if you want PKCE to be enforced for all clients.
LOW   internal/config/config.yaml:400   # Set this to true if you want PKCE to be enforced for public clients.
LOW   internal/config/config.yaml:448   # Set this to the tracing backend you wish to use. Currently supports jaeger. If omitted or empty, tracing will
LOW   contrib/quickstart/gitlab/config/gitlab.rb:580   #### Set path to an initial license to be used while bootstrapping GitLab.
LOW   .github/auto_assign.yml:15   # Set 0 to add all the reviewers (default: 0)
LOW   .github/workflows/cve-scan.yaml:36   # Output values for debugging
LOW   oryx/configx/stub/benchmark/benchmark.yaml:135   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:144   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:159   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:177   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:182   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:191   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:224   # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to fal
LOW   oryx/configx/stub/benchmark/benchmark.yaml:231   # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:236   # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:241   # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:252   # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:261   # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:278   # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:286   # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:295   # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
LOW   oryx/configx/stub/benchmark/benchmark.yaml:311   # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.

Magic Placeholder Names (4 hits · 25 pts)

Severity   File:Line   Snippet
HIGH   quickstart-tracing.yml:59   # - DD_API_KEY=<YOUR_API_KEY> # Replace it with your DataDog API key
HIGH   quickstart-tracing.yml:59   # - DD_API_KEY=<YOUR_API_KEY> # Replace it with your DataDog API key
HIGH   UPGRADE.md:831   2. Run `$ export DATABASE_URL=<your-database-url>`.
HIGH   UPGRADE.md:917   $ export DATABASE_URL=<your-database-url>

AI Slop Vocabulary (2 hits · 6 pts)

Severity   File:Line   Snippet
MEDIUM   fosite/access_request_handler.go:33   // to directly utilize the HTTP Basic authentication scheme (or other
MEDIUM   oryx/landlockx/paths.go:15   // robust than enumerating every sibling: SQLite manages -journal in

Verbosity Indicators (1 hit · 2 pts)

Severity   File:Line   Snippet
LOW   client/handler.go:459   // an empty secret if the secret hasn't changed. As such we need to check if the patch has

Hyper-Verbose Identifiers (1 hit · 1 pt)

Severity   File:Line   Snippet
LOW   oauth2/handler.go:194   function setAndRegisterTimeout(fct, duration) {